Splunk Search

Macro expansion via SPL/REST


I have a search that returns all of my correlation searches for a given app.  

| rest splunk_server=local count=0 /services/saved/searches
| where match('action.correlationsearch.enabled', "1|[Tt]|[Tt][Rr][Uu][Ee]")
| rename eai:acl.app as app, title as csearch_name, action.correlationsearch.label as csearch_label, action.notable.param.security_domain as security_domain
| search app=my_app 
| table csearch_name, csearch_label, app, security_domain, qualifiedSearch, description


This works fine and gives the desired output.  However, I would like to add a line in there that would automatically expand any macros in the qualifiedSearch field.


search `azuread` "body.operationName"="Add member to role"

but return: 
search sourcetype=mscs:azure:eventhub "body.operationName"="Add member to role"


Is there a lookup or macroExpand function that I could add to my SPL to do this?



I also was looking for something that did this for a really long time and could never find anything. 
I know about the CMD+SHIFT+E to expand macros on the UI but needed the same functionality inline in a search to use for meta-analysis (breaking down SPL to its components and analyzing).

I feel like there is some way of doing this that exists somewhere but have not had much luck finding it. 
So I went ahead and tried making a custom command to do it, and it actually seems to work out pretty well.
I do want to note that this custom command is recursive in the sense that it expands the macros all the way down. Meaning that if there are nested macros, this will expand the nested ones as well, all the way until there are no more macros to expand. So the end result should be a fully detailed SPL that is being executed. It will also replace the input args with the values it finds in the input field, so it will also return the SPL that would run for that specific search with the given arguments.
You can see an example of the output here (this particular example is derived from a dashboard, so input arguments are still tokenized and will be represented as such in the "expanded_spl" field):


If you are still interested in this then you can give this a try. I think it will require entries in commands.conf, searchbnf.conf, metadata/local.meta and a custom python script in bin/

There is also a dependency on Splunk Python SDK.

Send me a message and I can get it packed up in a custom app to share if you still are needing this functionality.

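Splunk's own expansion happens server-side, but the recursive expand-and-substitute loop such a custom command performs can be shown in isolation. The block below is an added example, not the poster's command and not Splunk SDK code; it runs over a constructed in-memory copy of macros.conf stanzas (keyed `name` or `name(N)` the way Splunk keys them) and reproduces the expansion asked for in the question. A real command would populate `MACROS` from the macros configuration via the Python SDK; argument text is substituted verbatim here (quotes included), which is a simplification, and the depth guard catches cyclic definitions.

```python
import re

# Constructed sample of macros.conf stanzas, keyed the way Splunk keys them:
# "name" for a macro without arguments, "name(N)" for one taking N arguments.
# The two loop_* entries are a deliberately cyclic pair to exercise the depth guard.
MACROS = {
    "azuread": {"definition": "sourcetype=mscs:azure:eventhub"},
    "azuread_role_op(1)": {
        "definition": '`azuread` "body.operationName"=$op$',
        "args": "op",
    },
    "loop_a": {"definition": "`loop_b`"},
    "loop_b": {"definition": "`loop_a`"},
}

# A macro call: `name` or `name(arg1, arg2, ...)`; argument text may not contain backticks.
MACRO_RE = re.compile(r"`([A-Za-z0-9_]+)(?:\(([^`]*)\))?`")

def split_args(raw):
    """Split an argument list on commas that are not inside double quotes."""
    args, buf, quoted = [], [], False
    for ch in raw:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            args.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    args.append("".join(buf).strip())
    return args

def expand_once(spl, macros):
    """Replace every macro call in spl with its definition, substituting $arg$ placeholders."""
    def substitute(match):
        name, raw = match.group(1), match.group(2)
        args = split_args(raw) if raw is not None else []
        key = f"{name}({len(args)})" if args else name
        stanza = macros.get(key)
        if stanza is None:
            raise KeyError(f"macro {key} is not defined")
        body = stanza["definition"]
        for arg_name, value in zip(stanza.get("args", "").split(","), args):
            body = body.replace(f"${arg_name.strip()}$", value)
        return body
    return MACRO_RE.sub(substitute, spl)

def expand_macros(spl, macros=MACROS, max_depth=20):
    """Expand nested macros until the SPL stops changing; bail out on cycles."""
    for _ in range(max_depth):
        expanded = expand_once(spl, macros)
        if expanded == spl:
            return expanded
        spl = expanded
    raise RecursionError("macro expansion did not converge (nested too deep or cyclic)")
```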